Cracking Passwords with Hashcat
Systems don't store original passwords; they store hashes, which look like this: "f2477a144dff4f216ab81f2ac3e3207d". Hashing is a one-way function, so you can't turn a hash back into the password.
But you can make a computer hash every word in a dictionary and tell you if one of them produces the same hash. That works because a hash function always gives the same output for the same input. (Well-built systems add a per-user salt and use a deliberately slow hash; the plain, unsalted MD5 in this article is the easiest case.) This article shows you how to do this with hashcat.
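To see what "try every word" actually means before reaching for hashcat, here is the whole attack written with nothing but coreutils. This is an added example, not code from the article: the five-word list and the "leaked" hash are constructed inline, and md5_of and dict_attack are my own function names. It also shows a gotcha that bites people who test hashes by hand: echo appends a newline, and a newline is part of what gets hashed.

```shell
#!/bin/sh
# Added example (not from the article): a dictionary attack on an unsalted MD5,
# done with md5sum so the mechanics are visible. hashcat does the same thing,
# millions of times per second.

# Hash a string the way a system stores an unsalted MD5: the bytes of the
# password and nothing else. `echo summer | md5sum` would hash "summer\n",
# which is a different input and gives a different hash; printf '%s' avoids it.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Try every line of WORDLIST against TARGET (a hex MD5).
# Prints the matching word and returns 0, or returns 1 once the list is used up:
# the two outcomes hashcat reports as "Cracked" and "Exhausted".
dict_attack() {
    target=$1
    wordlist=$2
    while IFS= read -r word || [ -n "$word" ]; do   # also handles a last line with no newline
        if [ "$(md5_of "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

demo() {
    tmp=$(mktemp -d)
    # Constructed wordlist in rockyou's format: one candidate per line.
    printf '%s\n' 123456 password iloveyou princess summer > "$tmp/words.txt"
    # The "leak": the system stored md5("summer"), not the word. For this word
    # the result should be the hash used in the rest of the article.
    target=$(md5_of summer)
    echo "target: $target"
    dict_attack "$target" "$tmp/words.txt" && echo "cracked"
    # A hash of something not in the list is never recovered.
    dict_attack "$(md5_of not-in-any-list)" "$tmp/words.txt" || echo "exhausted"
    rm -r "$tmp"
}
```

Run demo to see both outcomes. Note that the attacker never reverses anything: the only operation is "hash a guess, compare", which is why a fast hash and no salt make this so cheap.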
Introduction
Use of penetration testing techniques requires legal and ethical considerations. To safely use these tools, tactics and procedures, you might need to obtain contracts and permissions, and possess adequate technical skills. Check your local laws. To learn how to practice safely and legally, consider my penetration testing course.
Let's consider this easy hash: 6b1628b016dff46e6fa35684be6acc96. I'll tell you the answer later in this article, so that you can easily test your environment. This test was done with Debian 11 Bullseye and requires basic command line skills.
Install Hashcat
Install the tools: hashcat does the cracking, hashid guesses hash types, and wget fetches the wordlist.
$ sudo apt-get update
$ sudo apt-get -y install hashid hashcat wget
Create a new directory for our work
$ mkdir hashed
$ cd hashed
Get a big dictionary. RockYou, a list of real passwords from a 2009 breach, is probably the most popular.
$ wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
$ tar xf rockyou.txt.tar.gz
$ rm rockyou.txt.tar.gz
It's just one candidate password per line, most common first:
$ head rockyou.txt
123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
12345678
abc123
With over 14 million candidates:
$ wc -l rockyou.txt
14344391 rockyou.txt
Identify Hash Type
Hashcat needs to know the type of the hash it is cracking, given as the number after the -m parameter. It's common to stare at hashes and compare them to the list in 'hashcat --example-hashes'. However, there is an easier way:
$ hashid -m 6b1628b016dff46e6fa35684be6acc96
Analyzing '6b1628b016dff46e6fa35684be6acc96'
[+] MD2
[+] MD5 [Hashcat Mode: 0]
[+] MD4 [Hashcat Mode: 900]
...
In hashid, the -m parameter adds the number used in the actual cracking: hashcat's parameter of the same name, -m. Every 32-character hex string looks the same to hashid, so it lists every type of that length, but the right type is often among the top three candidates. If not, you can rule out many candidates based on where the hash was obtained (Windows, Linux...).
Let's try MD5 first, as it is far more common than MD2 or MD4. If hashcat runs through the whole dictionary without a match, the next step is to retry with the next candidate mode.
Crack the Hash
$ hashcat -m 0 '6b1628b016dff46e6fa35684be6acc96' rockyou.txt -o solved
The command means
Part of Command | Meaning |
---|---|
hashcat | the hash cracking program we just installed |
-m 0 | type of the hash, the number we obtained from 'hashid' or 'hashcat --example-hashes' |
'6b1628b016dff46e6fa35684be6acc96' | the hash we want to crack. Put single quotes around it, as many hash formats contain characters such as $ that the shell would otherwise interpret. You can also give the name of a file with one hash per line instead. |
rockyou.txt | the dictionary: every line is hashed and compared against the target |
-o solved | save the solution as plain text to a new file "solved" in the working directory |
After a moment, hashcat is done. So what's the password?
$ cat solved
6b1628b016dff46e6fa35684be6acc96:summer
So it's "summer": the time to hack outside with a laptop. Well done, hash cracked.
What Did Hashcat Say?
Let's quickly look at the output we got. I've only included the interesting lines here.
$ hashcat -m 0 '6b1628b016dff46e6fa35684be6acc96' rockyou.txt -o solved
...
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 6b1628b016dff46e6fa35684be6acc96
[..]
Speed.Dev.#1.....: 37401.1 kH/s (4.60ms)
Output | Meaning |
---|---|
Status: Cracked | We got the password, and it's stored in "solved" |
Hash.Type: MD5 | This is what we chose with 'hashcat -m 0 ...' |
Hash.Target: 6b1628b016dff46e6fa35684be6acc96 | The hash we gave when calling hashcat |
Speed.Dev.#1: 37401.1 kH/s (4.60ms) | How fast it went: kH/s is thousands of hashes per second, so about 37 million candidate words were hashed and compared every second |
In this exercise the correct word is in the RockYou dictionary, so you will crack it. In another exercise you might get "Status: Exhausted" instead of "Cracked". That means every word in the dictionary was tried and none of them matched: either the password isn't in that list in that exact form, or the hash type (-m) was wrong, so try the next hashid candidate before blaming the dictionary.
Where did the solution go?
If you used "-o solved", it's in that file: 'cat solved'.
If you already cracked it but did not specify an output file, you can see it with "--show". Hashcat records every cracked hash in its potfile (a file in your home directory, or wherever --potfile-path points), so re-running the same command only tells you to look there:
$ hashcat -m 0 6b1628b016dff46e6fa35684be6acc96 rockyou.txt
... INFO: All hashes found in potfile! Use --show to display them. ...
$ hashcat -m 0 6b1628b016dff46e6fa35684be6acc96 rockyou.txt --show
6b1628b016dff46e6fa35684be6acc96:summer
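The same run, wrapped so the hash never appears on the command line and the results land in known files, as an added example rather than the article's own commands. It assumes hashcat and the rockyou.txt from the steps above; crack_hash, show_cracked, guess_mode and plain_from_outfile are names I chose, and the exit codes it checks are hashcat's documented ones (0 cracked, 1 exhausted).

```shell
#!/bin/sh
# Added example, not the article's own commands. Wraps the hashcat run so the
# hash lives in a file (not in shell history), results go to a per-project
# potfile and outfile, and the plaintext is pulled out correctly afterwards.
# Assumes hashcat is installed and rockyou.txt is in the working directory.

# hashcat writes cracked results as "hash:plain", both in the -o file and in
# --show output. Split on the FIRST colon only: a password may itself contain
# colons. With no file argument this reads stdin.
plain_from_outfile() {
    cut -d: -f2- "$@"
}

# Pick the -m mode for the only format this article covers: a 32-character hex
# string, which hashid cannot tell apart from other 128-bit hashes. MD5 (0) is
# the usual first guess; if hashcat exhausts the list, retry with MD4 (900) or,
# for a Windows-sourced hash, NTLM (1000). Anything else: ask hashid.
guess_mode() {
    case $1 in
        *[!0-9a-fA-F]*) return 1 ;;   # contains a non-hex character
    esac
    case ${#1} in
        32) echo 0 ;;
        *)  return 1 ;;
    esac
}

# Show what the per-project potfile already holds, without re-running the attack.
show_cracked() {
    workdir=${1:-.}
    hashcat -m "$(guess_mode "$(cat "$workdir/hash.txt")")" "$workdir/hash.txt" \
        --potfile-path "$workdir/hashcat.potfile" --show | plain_from_outfile
}

# crack_hash HASH WORDLIST [WORKDIR]
crack_hash() {
    target=$1; wordlist=$2; workdir=${3:-.}
    mode=$(guess_mode "$target") || { echo "unrecognised hash format: $target" >&2; return 2; }
    printf '%s\n' "$target" > "$workdir/hash.txt"
    hashcat -m "$mode" "$workdir/hash.txt" "$wordlist" --quiet \
        --potfile-path "$workdir/hashcat.potfile" -o "$workdir/solved"
    status=$?
    # hashcat's documented exit codes: 0 = cracked, 1 = exhausted.
    case $status in
        0) if [ -s "$workdir/solved" ]; then
               echo "Cracked: $(plain_from_outfile "$workdir/solved")"
           else   # outfile empty or absent (hash was already in the potfile): read the potfile
               echo "Cracked earlier: $(show_cracked "$workdir")"
           fi ;;
        1) echo "Exhausted: no word in $wordlist hashes to $target (wrong list or wrong -m?)" ;;
        *) echo "hashcat exited with status $status" >&2 ;;
    esac
    return $status
}

# Usage:
#   crack_hash 6b1628b016dff46e6fa35684be6acc96 rockyou.txt
#   show_cracked
```

Keeping a potfile per project matters when you work on several engagements: hashcat's default potfile is shared across everything you have ever cracked on that machine, and --show prints whatever is in it.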
Can I Make It Go Faster?
Yes. Run it on your host OS on real hardware, not in a virtual machine: hashcat automatically detects your display adapter (GPU) and uses it for a huge speed boost. 'hashcat -I' lists the compute devices it found, and 'hashcat -b -m 0' benchmarks MD5 on them so you can compare before and after.
It works well with NVIDIA's proprietary drivers and CUDA support. (Yes, unfortunately the NVIDIA drivers are not open source.)
What Next?
Learn to write your own dictionaries.
Try an easy, beginner friendly CTF (capture the flag game).
Be safe, ethical and legal. Only work with your own hashes or practice targets you've been given in CTFs.
Come to my penetration testing course to learn more.
Join my mailing list to hear about interesting events and tips.
Administrivia
This article has been updated after publishing.